DFW drops the TCP flow when the SEQ/ACK number wraps around the max value of 4 GB.

Article ID: 322086

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:

1. DFW drops random TCP flows when the SEQ/ACK number wraps around the max value of 4 GB.

2. The dropped TCP flow is usually a long-lived connection, or a flow whose initial SEQ number is already close to 4 GB.

3. The issue impacts only the following releases:

3.2.3.1
4.1.1
4.1.2
4.1.2.1

4. While the issue is observed on the application side, vsipioctl getfilterstat -f <vnic> shows the following DROP REASON counters incrementing:

DROP REASON
-----------
state-mismatch:       539             <<<<
seqno outside window: 302             <<<<
seqno old ack:        334             <<<<

5. Packet captures, if taken, show the packets at PreDVFilter but not at PostDVFilter.

6. The TCP sequence/acknowledgment number ranges from 0 to 4294967295; once the maximum is reached the number rolls over and starts again from zero.

Environment

VMware NSX-T Data Center 4.x
VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Cause

The TCP sequence/acknowledgment number ranges from 0 to 4294967295; once the maximum is reached the number wraps around and starts again from zero. After the rollover, DFW incorrectly updates the seqlo and seqhi values it tracks for the TCP flow, so subsequent segments of that flow are dropped.
This issue is DFW-specific and does NOT impact the Gateway Firewall.
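As an added illustration (constructed example code, not NSX or DFW source), the following minimal Python model shows why a stateful tracker that does not keep its seqlo/seqhi state reduced modulo 2^32 starts rejecting in-order segments the moment the on-wire SEQ rolls over, while a modular comparison keeps accepting them; WINDOW, the tracker functions and the sample segments are assumptions.

```python
SEQ_MOD = 1 << 32     # TCP SEQ/ACK space is 32-bit: 0 .. 4294967295
WINDOW = 65535        # constructed receive window size in bytes

def in_window_naive(seq, seqlo, seqhi):
    """Plain integer comparison: correct only while no rollover has occurred."""
    return seqlo <= seq < seqhi

def in_window_modular(seq, seqlo, seqhi):
    """Distance-based check in modulo-2^32 arithmetic; survives the rollover."""
    return (seq - seqlo) % SEQ_MOD < (seqhi - seqlo) % SEQ_MOD

def track_flow(segments, start_seq, wrap_aware):
    """Feed (seq, length) segments through a minimal stateful window tracker.

    wrap_aware=False models a tracker that advances seqlo/seqhi with plain
    addition and compares them to the 32-bit on-wire SEQ, so once the wire
    value rolls over to 0 the state no longer matches ('seqno outside window').
    wrap_aware=True keeps the state reduced mod 2^32 and compares modularly.
    Returns a list of 'pass'/'drop' verdicts, one per segment.
    """
    norm = (lambda x: x % SEQ_MOD) if wrap_aware else (lambda x: x)
    check = in_window_modular if wrap_aware else in_window_naive
    seqlo = norm(start_seq)
    seqhi = norm(seqlo + WINDOW)
    verdicts = []
    for seq, length in segments:
        if check(seq, seqlo, seqhi):
            verdicts.append("pass")
            seqlo = norm(seq + length)       # next byte the tracker expects
            seqhi = norm(seqlo + WINDOW)
        else:
            verdicts.append("drop")          # tracker sees SEQ as outside window
    return verdicts

def build_segments(start_seq, length, count):
    """Constructed in-order segments; SEQ values are masked to 32 bits as on the wire."""
    segs, seq = [], start_seq % SEQ_MOD
    for _ in range(count):
        segs.append((seq, length))
        seq = (seq + length) % SEQ_MOD
    return segs

if __name__ == "__main__":
    # Flow starting 296 bytes below 4294967295, as in symptom 2 above.
    segs = build_segments(4294967000, 1000, 3)    # SEQs: 4294967000, 704, 1704
    print(track_flow(segs, 4294967000, wrap_aware=False))  # ['pass', 'drop', 'drop']
    print(track_flow(segs, 4294967000, wrap_aware=True))   # ['pass', 'pass', 'pass']
```

The same modular rule applies to the ACK field, which shares the 32-bit space and produces the 'seqno old ack' counter when compared with plain arithmetic.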

Resolution

This issue is resolved in 3.2.3.2 and above.
This issue is resolved in 4.1.2.3 and above.


Workaround:
1. Use a stateless DFW rule for the TCP flow experiencing the issue.

or 

2. Put the VM on the DFW exclusion list.

Additional Information

Impact/Risks:
Some TCP flows are dropped.